Citations and explanations (Rule 70.7)
CITATIONS 

The examination process has revealed the following documents,
which represent the general state of the art:

D1: WO 99 08 186 A1

D2: US 5 247 659 A 

D3: US 5 432 927 A 

D4: US 4 491 914 A 



STATEMENT 

The document D1 discloses a method and apparatus for providing
fault tolerance for in-circuit programming systems. The
invention operates by storing a minimal set of code to
initialise the in-circuit programming process in a protected
memory (107) so that if the programming process fails, the
process can be restarted from the protected memory, see
abstract.

The computer device known from D1 comprises processor means,
an ordinary memory unit connected to the processor means and a
supervisory unit, see figure 1 and page 6, lines 11-17.

The computer device known from D1 also includes a further
memory unit that is arranged to comprise system instructions,
wherein the computer device is arranged such that the
processor means, at a restart, is connected to the further
memory unit and reads and executes instructions that are
stored in the same, while the ordinary memory unit is
disconnected from the processor means, see page 7, lines 8-20.

The further memory unit (ROM) mentioned in D1 and the ordinary
memory unit (Flash) constitute two different, physically
separate, memories, see page 7, lines 17-20 and claim 24. The
memory units are non-volatile memories. In a preferred
embodiment, the two memory units constitute two parts of
physically the same memory, but with different memory
addresses, see claim 22. The further memory is write
protected when the computer is operative, see claim 23.

The supervisory unit in D1 is arranged to generate a signal in
dependence of a timer in such a manner that said restart
signal is generated if no trigger signal that sets the
timer to zero is received within a predetermined time
interval, see page 8, lines 5-13.

The memory safety circuit known from D1 is arranged to stop
the reading from the ordinary memory unit and to connect for
reading from said further memory unit when the restart signal
is given, see page 9, lines 2-11. The further memory unit is
arranged to include system instructions with a high degree of
functional security, see page 3, lines 19-23.

However, the claimed invention according to claims 1-15 is
considered to deviate from the invention previously described
in D1 in several ways. The invention in D1 concerns a computer
arrangement with a security function adapted to be used for
in-circuit programming systems. The mini-boot-code (107) is
used for reboot only when in-circuit programming is carried
out. According to the invention, restart is always performed
from a further memory unit, while the ordinary memory unit is
disconnected.

Accordingly, the invention defined in claims 1-15 is novel and 
is considered to involve an inventive step. The invention is 
industrially applicable. 

Also document D2 discloses a computer device with a security 
function, see abstract. 

On power-up or system restart, the non-volatile store is 
tested. If the test is satisfactory, the bootstrap program is 
loaded from the normal load path. If not, the undefined 
bootstrap procedure may be entered. 

The invention described in D3 includes processor means, an 
ordinary memory unit connected to the processor means, 
auxiliary memory means and a supervisory unit, see claim 1. 

The auxiliary memory means known from D3 is arranged to
comprise system instructions, wherein the computer device is
arranged such that the processor means, at a restart, is
connected to the further memory unit and reads and executes
instructions that are stored in the same, while the ordinary
memory unit is disconnected from the processor means, see
claim 1.

Document D4 presents yet another computer device with a 
security function, see abstract. The invention presented in D4 
comprises two memories, see figure 3. 

However, none of the cited documents D2-D4, or any relevant 
combination of them reveals a computer with a safety function 
as defined by claims 1-15. 

Therefore the invention according to claims 1-15 is considered 
to meet the criteria of novelty, inventive step and industrial 
applicability. 



Form PCT/IPEA/409 (Supplemental Box) (January 1998)






(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)



(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date 
29 March 2001 (29.03.2001) 




PCT 



(10) International Publication Number 

WO 01/22220 Al 



(51) International Patent Classification: G06F 9/445,
11/00, 11/30

(21) International Application Number: PCT/SE00/01847

(22) International Filing Date: 

22 September 2000 (22.09.2000)



(25) Filing Language: Swedish

(26) Publication Language: English



(30) Priority Data: 

9903422-5 22 September 1999 (22.09.1999) SE 

(71) Applicant (for all designated States except US): SAAB AB
[SE/SE]; S-581 88 Linköping (SE).

(72) Inventors; and

(75) Inventors/Applicants (for US only): ALMESAKER,
Marieanne [SE/SE]; Ekkällegatan 3, S-582 30 Linköping
(SE). NYSTROM, Bengt [SE/SE]; Dillstigen 6, S-589 23
Linköping (SE).

(74) Agents: BERGLUND, Stefan et al.; Bjerkéns Patentbyrå
KB, Östermalmsgatan 58, S-114 50 Stockholm (SE).



(81) Designated States (national): AE, AG, AL, AM, AT, AU,
AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CR, CU, CZ,
CZ (utility model), DE, DE (utility model), DK, DK (utility
model), DM, DZ, EE, EE (utility model), ES, FI, FI (utility
model), GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP,
KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA,
MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, RO,
RU, SD, SE, SG, SI, SK, SK (utility model), SL, TJ, TM,
TR, TT, TZ, UA, UG, US, UZ, VN, YU, ZA, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM,
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZW). Eurasian
patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European
patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE,
IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG,
CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published: 

— With international search report. 

For two-letter codes and other abbreviations, refer to the "Guidance
Notes on Codes and Abbreviations" appearing at the beginning of
each regular issue of the PCT Gazette.



(54) Title: A COMPUTER DEVICE WITH A SAFETY FUNCTION 




(57) Abstract: The invention concerns a computer device with a safety function in order to avoid non-necessary disconnection of
the computer device. The computer device comprises processor means (10), an ordinary memory unit (12), a supervisory unit (14)
and a further memory unit (16). The computer device is arranged such that the processor means (10), at a restart generated by a restart
signal, is connected to the further memory unit (16) and reads and executes the instructions that are stored in the same, while the
ordinary memory unit (12) is disconnected from the processor means (10).
A COMPUTER DEVICE WITH A SAFETY FUNCTION

BACKGROUND OF THE INVENTION AND PRIOR ART

The present invention concerns a computer device with a safety
function for avoiding non-necessary disconnection of the computer
device, comprising processor means, an ordinary memory unit
connected to said processor means and arranged to comprise at
least one program that is executed by the processor means, a
supervisory unit that supervises the function of the computer device
and that is arranged to, in case an error occurs, send a restart
signal or a stop signal to the processor means.

Such computer devices are already known. The supervisory unit
may for instance constitute a so-called "watchdog timer". US-A-4
763 296 describes the function of such a watchdog timer. Such a
device thus has a timer that continuously is in operation when the
computer device is used. If the timer reaches a predetermined
value, i.e. if a predetermined time has elapsed, the watchdog timer
generates a restart signal that causes a restart (reset) of the
computer device. During normal use, the timer is set to zero at
regular intervals by the normal program execution by the processor.
In case an error occurs, for example if the computer executes an
infinite subroutine, the timer will not be set to zero and the
watchdog timer thus causes a restart of the system.

Also other kinds of computer devices with safety functions are
already known. EP-A-481 508 thus describes a device that
comprises a backup memory. When the current supply to the
computer device is shut off, the status of the central processor and
the content in a main memory are transferred to said backup
memory. When the computer device is then started again by
reconnecting the current supply, that which is stored in the
backup memory is restored.

EP-A-265 366 describes a computer device that comprises a
primary memory and a backup memory. Switching from the primary
memory to the backup memory is done by means of a "Backup
Control System Transfer Mechanism". This mechanism is relatively
complicated. At the generation of a power-on-reset signal, said
mechanism secures that restart is done from the primary memory
(see column 6, lines 21-28).

There exists a need to improve the safety function of a computer
device. There is thus a need to restart the computer device in a
safe manner when an error has been detected. Errors that may
disturb the operation of the computer are for example memory
errors in the memory where the programs executed by the computer
device are stored. An error may also be caused by the software that
is stored in the memory of the computer device; such errors may for
example occur when new software is used that has not been
completely tested. Furthermore, there exists a need to secure the
function of the computer device by relatively simple means. A
further problem is to secure at least certain basic functions of the
computer device when different errors occur.

SUMMARY OF THE INVENTION

The purpose of the present invention is to achieve a computer
device with a reliable safety function that, furthermore, is achieved
by relatively simple means.

This purpose is achieved by the initially defined computer device
that is characterised by a further memory unit that is arranged to
comprise at least some basic system instructions, wherein the
computer device is arranged such that the processor means, at a
restart generated by said restart signal from the supervisory unit, is
connected to the further memory unit and reads and executes
instructions that are stored in the same, while the ordinary memory
unit is disconnected from the processor means.

By the fact that the processor means is connected to the further
memory unit when a restart signal has been generated by the
supervisory unit, it is avoided that possible errors that are present
in the instructions that are stored in the ordinary memory unit are
transferred to the processor means. A safer function of the
computer device after a restart signal has been generated in
response to a detected error is thereby achieved. In this context it
should be noted that when in the claims and in the description it is
mentioned that a memory unit is connected to or is disconnected
from the processor means, it is thereby not necessarily meant that
the disconnection is done by physically breaking the connection
between the processor means and the memory unit in question. The
concepts connect to and disconnect thus comprise two possibilities:
physical switching by breaking the connection, and the connection
to and the disconnection from at a program level.

It should be noted that by the concept "system instructions" is in
this application preferably, but not necessarily, meant programs that
control a system or a part of a system that is controlled by the
computer device, i.e. the concept "system instructions" concerns
application instructions.

25 

According to an embodiment of the invention, the ordinary memory
unit and the further memory unit constitute two different, physically
separate, memories. By this feature an increased security is
achieved since the ordinary memory unit is arranged as a separate
memory that is completely disconnected from the processor means
at a restart.

According to an alternative embodiment of the invention, the
ordinary memory unit and the further memory unit constitute two
parts of physically the same memory, but with different memory
addresses. Through this construction fewer memory components
are needed since the further memory unit is stored as a special part
of the memory where also the ordinary memory unit is included.

According to a further embodiment of the invention, said
supervisory unit is arranged to generate a signal in dependence of
a timer in such a manner that said restart signal is generated if no
trigger signal that sets the timer to zero is received within a
predetermined time interval. The supervisory unit may in this case
thus constitute a so-called watchdog timer (WDT). Such a WDT
often forms part of computer devices. Such a well functioning and
already existing WDT may thus be used as a supervisory unit in the
device according to the present invention. It should however be
noted that also other kinds of supervisory units than a WDT may be
used in the computer device according to the invention.

15 

According to still another embodiment of the invention, the
computer device comprises a memory safety circuit that is arranged
to stop the reading from the ordinary memory unit and to connect
for reading from said further memory unit when both said restart
signal and a signal indicating applied supply voltage are present.
Such a memory safety circuit is a relatively simple and well
functioning circuit that controls that switching from the ordinary to
the further memory unit takes place. Furthermore, this memory
safety circuit secures that such a switching only occurs if supply
voltage to the computer device is present.

According to a further embodiment of the invention, said further
memory unit is arranged such that it comprises basic system
instructions with a high degree of reliability. The further memory
unit may hereby be arranged to comprise system instructions that
have already been thoroughly tested and that therefore have a high
functional reliability. The further memory unit may hereby also be
provided with the basic system instructions for the computer device
while non-necessary system instructions have been excluded from
said further memory unit.
According to still another embodiment of the invention, said further
memory unit is arranged such that it comprises system instructions
with a degree of reliability that is higher than the degree of reliability
that is the case in the ordinary memory unit. The ordinary memory
unit may thus comprise system instructions that have not been so
thoroughly tested in the computer device. The further memory unit
may thereby comprise the basic system instructions that have
already been shown to have a high reliability. Within the frame of
the invention is of course also the possibility that the ordinary
memory unit and the further memory unit comprise system
instructions with the same degree of reliability.

According to a further embodiment of the invention, at least said
further memory unit is a non-volatile memory. This fact contributes
to an increased functional reliability of the computer device.

According to still another embodiment of the invention, said
processor means comprises a working memory that is arranged
such that at a restart of the computer device this working memory is
reset before reading from said further memory unit is started. By
this feature it is secured that instructions that may comprise errors
and that originate from the ordinary memory unit do not remain in
the working memory when reading from the further memory unit is
started.

25 

According to a further embodiment of the invention, said further
memory unit is arranged to be write protected at least when the
computer device is in operation. This fact contributes to further
safety since the content in this further memory unit is protected and
may not be modified when the computer device is in operation.

According to still another embodiment of the invention, the
computer device is arranged such that if said restart signal has
been generated a predetermined number of times, then, in case an
error occurs again, said stop signal is generated. This means that
the supervisory unit generates a predetermined number of restart
signals. If an error still occurs after a predetermined number of
restart attempts have been made, the computer device is stopped.

According to still another embodiment of the invention, the
computer device comprises a switching member for manually
generating said restart signal. This means that in addition to
automatic generation of a restart signal by the supervisory unit, also
a manual restart signal may be generated by an operator. An
operator may thus order that a restart from the further memory unit
is to take place.

A further embodiment of the invention is clear from claim 13. This
embodiment may also be combined with the features of one or more
of the claims 2-12.

The purpose of the invention is also achieved by a method
according to claim 14. This method has advantages corresponding
to those described in connection with the device. The method
according to claim 14 may also be combined with features
corresponding to those defined in one or more of the claims 2-12.

A preferred use of the computer device is to use it to control a
system that is included in different vehicles, for example in aircraft.
An aircraft has many different functions that are controlled by a
computer device. It is important that these functions work and
that unnecessary disconnection of the computer device or of its
operation concerning some application is avoided. This aim is
achieved by a use according to claim 15.

SHORT DESCRIPTION OF THE DRAWING

The present invention will now be explained by means of a
described embodiment, which constitutes an example of the
invention, and with reference to the annexed drawing.

Fig 1 shows schematically a block diagram of an embodiment of the
invention.



WO 01/22220    PCT/SE00/01847



DETAILED DESCRIPTION OF AN EMBODIMENT OF THE
INVENTION

Fig 1 shows a block diagram of an embodiment of the invention.
The computer device comprises a processor means 10. With this
processor means 10 is meant not only the central processor unit
(CPU) of the computer device but also other central parts of the
computer device such as for example the working memory 22. The
computer device also comprises an ordinary memory unit 12. This
ordinary memory unit 12 may for example constitute some kind of
PROM, for example UVPROM, EEPROM or the like. When the
computer device first is started, the processor means 10 is
connected to the ordinary memory unit 12. This ordinary memory
unit 12 is thus arranged to comprise the instructions that control the
operation of the computer device. The computer device also
comprises a supervisory unit 14. The supervisory unit 14 supervises
the function of the computer device and is arranged to generate a
restart signal or a stop signal to the processor means 10 if the
supervisory unit 14 detects an error. The supervisory unit 14 may
for example constitute a so-called watchdog timer (WDT). Such a
WDT 14 generates a signal that depends on a timer 18. A restart
signal is thereby generated if the WDT 14 within a predetermined
time interval does not receive a trigger-signal that sets the timer 18
to zero. In order to have a high reliability, the WDT 14 comprises
suitably its own timer 18. It is however possible that the timer
function of the WDT 14 is controlled by the same clock that is
included in the processor means 10.

The computer device also comprises a further memory unit 16. This
further memory unit 16 is arranged to comprise at least some basic
system instructions. The further memory unit 16 may constitute a
memory that is physically separated from the ordinary memory unit
12. It is also possible that the ordinary memory unit 12 and the
further memory unit 16 constitute two parts of physically the same
memory. In order to further increase the reliability in case a memory
error should occur, the ordinary memory unit 12 and the further






memory unit 16 may constitute physically separate memories of 
different kinds, for example from different manufacturers. The 
further memory unit suitably constitutes some kind of PROM, for 
example UVPROM or EEPROM. 

The computer device also comprises a memory safety circuit 20.
This memory safety circuit 20 may form a part of the processor
means 10. In the shown embodiment, the memory safety circuit 20
however constitutes a separate circuit. The memory safety circuit
20 comprises an AND-gate 21. The memory safety circuit 20
controls which of the ordinary memory unit 12 and the further
memory unit 16 that is to be connected to the processor means 10.
This control may either be formed by opening or closing the electric
connection between the respective memory unit 12, 16 and the
processor means 10 or also be formed by a control on a program
level of these connections. It is also possible that the control is
done by a combination of software instructions and physically
opening or closing. One input of the AND-gate is connected to a
line 23 that indicates that a supply voltage is present. The other
input of the AND-gate 21 is connected to a line 25 that is connected
to the WDT 14. Via this line 25, a restart signal generated by the
WDT 14 is led to the AND-gate 21 and thereby to the memory
safety circuit 20.

The computer device also comprises a switching member 24 for
manually generating a restart signal. This switching member 24
may suitably be connected to the input of the AND-gate that is also
connected to the WDT 14.

The WDT 14 thus supervises the function of the computer device.
When the computer device functions normally, the WDT 14 receives
at regular intervals a trigger-signal from the processor means 10.
This trigger-signal sets the timer 18 to zero. The WDT 14 does
thereby not generate any restart signal to the line 25. If, however,
an error occurs such that the WDT 14 does not receive any
trigger-signal from the processor means 10 within a predetermined
time interval, the WDT 14 generates a restart signal. This restart
signal is thus led to one of the inputs of the AND-gate 21. When the
AND-gate 21 receives such a restart signal, and if at the same time
the other input of the AND-gate 21 detects that a supply voltage is
present, the memory safety circuit 20 controls that the ordinary
memory unit 12 is disconnected from the processor means 10 and
that the further memory unit 16 is connected to the processor
means 10. Also the processor means 10 receives a signal, suitably
from the WDT 14, that a restart is to be performed. The working
memory 22 of the processor means 10 is thereby reset, whereafter
reading from the further memory unit 16 takes place. The reading is
thereby done to predetermined addresses of the working memory
22. The processor means 10 thus reads and executes the
instructions that are stored in the further memory unit 16.

It is conceivable that a restart attempt fails and that the WDT 14
thus generates a new restart signal. If again an error is detected,
further restart signals may be generated by the WDT 14. The
computer device is thereby suitably arranged such that when a
predetermined number of restart attempts have been made, the
restart attempts are stopped. A warning function may thereby be
generated by the computer device and the latest information
concerning the status of the processor means 10 and the memory
units 12, 16 may be registered for later analysis. The computer
device is suitably arranged such that the restart attempts are
stopped after for example one to four restart attempts, preferably
after two restart attempts. The computer device may thereby be
arranged such that the restart attempts are stopped if said
predetermined number of restart attempts have been performed
within a predetermined time interval.
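The arrangement described above (the WDT 14 with its timer 18, the AND-gate 21 of the memory safety circuit 20 combining the restart signal with the supply-voltage line 23, the reset of the working memory 22 before reading from the further memory unit 16, the write protection of the further memory unit, the manual switching member 24, and the stop signal after a predetermined number of restart attempts within a time window) can be modelled in software. The following C program is an added example and is not code from the applicant or from WO 01/22220. The tick-based timer, the values WDT_TIMEOUT and RESTART_WINDOW, the eight-byte images and all struct and function names are assumptions made for the illustration; RESTART_LIMIT of two follows the preferred value given in the description. Connecting and disconnecting a memory unit is modelled at program level as copying the selected image into the working memory, one of the two possibilities the description allows.

```c
/* Added example (not the applicant's code): software model of the WDT 14 /
 * memory safety circuit 20 arrangement. Tick units, WDT_TIMEOUT,
 * RESTART_WINDOW, MEM_SIZE and all names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define WDT_TIMEOUT    100u   /* ticks without a trigger before a restart signal (assumed) */
#define RESTART_LIMIT  2      /* "preferably after two restart attempts" */
#define RESTART_WINDOW 1000u  /* attempts are counted within this many ticks (assumed) */
#define MEM_SIZE       8      /* toy image size (assumed) */

enum sv_signal { SIG_NONE, SIG_RESTART, SIG_STOP };
enum mem_sel   { MEM_ORDINARY, MEM_FURTHER };

struct device {
    uint32_t now;                    /* free-running tick counter */
    uint32_t timer;                  /* timer 18, set to zero by the trigger signal */
    bool power_good;                 /* line 23: supply voltage present */
    enum mem_sel selected;           /* memory unit the processor means 10 reads from */
    bool further_wp;                 /* further memory unit 16 write protected in operation */
    uint8_t ordinary_mem[MEM_SIZE];  /* ordinary memory unit 12 (application image) */
    uint8_t further_mem[MEM_SIZE];   /* further memory unit 16 (basic, well-tested image) */
    uint8_t work_mem[MEM_SIZE];      /* working memory 22 */
    int restarts;                    /* restart signals generated in the current window */
    uint32_t first_restart_at;
    bool stopped;                    /* stop signal has been generated */
};

/* Reset the working memory, then read the selected unit into it (claim 9). */
static void load_image(struct device *d, enum mem_sel sel)
{
    memset(d->work_mem, 0, sizeof d->work_mem);
    memcpy(d->work_mem, sel == MEM_FURTHER ? d->further_mem : d->ordinary_mem, MEM_SIZE);
    d->selected = sel;
}

void dev_init(struct device *d, const uint8_t *ordinary, const uint8_t *further)
{
    memset(d, 0, sizeof *d);
    memcpy(d->ordinary_mem, ordinary, MEM_SIZE);
    memcpy(d->further_mem, further, MEM_SIZE);
    d->power_good = true;
    d->further_wp = true;           /* claim 10: protected while operative */
    load_image(d, MEM_ORDINARY);    /* first start runs from the ordinary unit */
}

/* Trigger signal from normal program execution: sets timer 18 to zero. */
void wdt_trigger(struct device *d) { d->timer = 0; }

/* Memory safety circuit 20: AND-gate 21 of restart signal and power-good
 * (claim 5). Returns true when the switch to the further unit was made. */
bool memory_safety_circuit(struct device *d, bool restart_signal)
{
    if (!(restart_signal && d->power_good))
        return false;
    load_image(d, MEM_FURTHER);
    return true;
}

/* A restart request, from the WDT or from the switching member 24. */
static enum sv_signal restart_request(struct device *d)
{
    if (d->stopped)
        return SIG_STOP;
    if (d->restarts > 0 && d->now - d->first_restart_at > RESTART_WINDOW)
        d->restarts = 0;            /* earlier attempts fall outside the window */
    if (d->restarts == 0)
        d->first_restart_at = d->now;
    if (d->restarts >= RESTART_LIMIT) {
        d->stopped = true;          /* claim 11: limit reached and error again */
        return SIG_STOP;
    }
    d->restarts++;
    d->timer = 0;
    memory_safety_circuit(d, true);
    return SIG_RESTART;
}

/* Advance the WDT one tick; a restart signal is emitted on timeout (claim 4). */
enum sv_signal wdt_tick(struct device *d)
{
    d->now++;
    if (d->stopped)
        return SIG_STOP;
    if (++d->timer < WDT_TIMEOUT)
        return SIG_NONE;
    return restart_request(d);
}

/* Switching member 24: manual restart through the same AND-gate input (claim 12). */
enum sv_signal manual_restart(struct device *d) { return restart_request(d); }

/* Write to the further memory unit; refused while write protection is on. */
bool further_mem_write(struct device *d, unsigned idx, uint8_t val)
{
    if (d->further_wp || idx >= MEM_SIZE)
        return false;
    d->further_mem[idx] = val;
    return true;
}
```

Driving the model with `wdt_tick` and `wdt_trigger` reproduces the behaviour in the text: with regular triggers no restart signal appears; once the triggers stop, the timeout switches execution to the further memory image with a cleared working memory; a third timeout inside the window produces the stop signal instead of a restart; and with `power_good` false the restart signal is still counted but the AND-gate blocks the memory switch.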

In order to increase the safety, the further memory unit 16 is
suitably arranged such that it is write protected when the computer
device is in operation. Furthermore, suitably the ordinary memory
unit 12 as well as the further memory unit 16 constitute non-volatile
memories.




The further memory unit 16 is suitably arranged such that it
comprises basic system instructions with a high degree of reliability.
The further memory unit 16 may thereby comprise primary and
well-tested system functions. Suitably, the further memory unit 16 is
arranged such that it thereby comprises system instructions with a
higher degree of reliability than the system instructions that are
present in the ordinary memory unit 12. By the expression "degree
of reliability" may hereby for example be meant the software safety
levels that are defined according to RTCA-standard document
No. RTCA/DO-178B.

The computer device according to the invention may preferably be
arranged to secure the normal function of the computer device
under the execution of an application program even when an error
occurs that otherwise would lead to a disconnection and a shut-off
of the computer device, or at least to the interruption of the
execution of the application program in question. The ordinary
memory unit 12 thus comprises an application program that is
executed by the processor means 10. In case an error occurs in the
execution of at least said application program, the processor means
10 is connected to the further memory unit 16 that is arranged to
comprise at least some basic, already used and safe application
instructions. The computer device is thus arranged such that the
execution of the application that is controlled by the application
program may continue on the basis of the application instructions
that are retrieved from the further memory unit.

According to a method according to the invention, if an error occurs,
a connection to the further memory unit 16 that comprises at least
some basic application instructions takes place. The execution of
the application that is controlled by an application program may
thereby continue on the basis of the application instructions that are
retrieved from the further memory unit and that are read in a normal
and traditional manner into the processor means 10 with a normal
reset of the working memory 22.
The computer device according to the invention may also
advantageously be used to control a system that is included in an
aircraft.

The present invention is not limited to the shown embodiment but
may be varied and modified within the scope of the following claims.
Claims

1. A computer device with a safety function for avoiding non-necessary
disconnection of the computer device, comprising

processor means (10),

an ordinary memory unit (12) connected to said processor
means (10) and arranged to comprise at least one program that is
executed by the processor means (10),

a supervisory unit (14) that supervises the function of the
computer device and that is arranged to, in case an error occurs,
send a restart signal or a stop signal to the processor means (10),
characterised by

a further memory unit (16) that is arranged to comprise at
least some basic system instructions, wherein the computer device
is arranged such that the processor means (10), at a restart
generated by said restart signal from the supervisory unit (14), is
connected to the further memory unit (16) and reads and executes
instructions that are stored in the same, while the ordinary memory
unit (12) is disconnected from the processor means (10).

2. A computer device according to claim 1, wherein the ordinary
memory unit (12) and the further memory unit (16) constitute two
different, physically separate, memories.

3. A computer device according to claim 1, wherein the ordinary
memory unit (12) and the further memory unit (16) constitute two
parts of physically the same memory, but with different memory
addresses.

4. A computer device according to any of the preceding claims,
wherein said supervisory unit (14) is arranged to generate a signal
in dependence of a timer (18) in such a manner that said restart
signal is generated if no trigger signal that sets the timer (18)
to zero is received within a predetermined time interval.

5. A computer device according to any of the preceding claims,
comprising a memory safety circuit (20) that is arranged to stop the
reading from the ordinary memory unit (12) and to connect for
reading from said further memory unit (16) when both said restart
signal and a signal indicating applied supply voltage is the case.

6. A computer device according to any of the preceding claims,
wherein said further memory unit (16) is arranged such that it
comprises basic system instructions with a high degree of reliability.

7. A computer device according to claim 6, wherein said further
memory unit (16) is arranged such that it comprises system
instructions with a degree of reliability that is higher than the degree
of reliability that is the case in the ordinary memory unit (12).

8. A computer device according to any of the preceding claims,
wherein at least said further memory unit (16) is a non-volatile
memory.

9. A computer device according to any of the preceding claims,
wherein said processor means (10) comprises a working memory
(22) that is arranged such that at a restart of the computer device
this working memory (22) is reset before reading from said further
memory unit (16) is started.

10. A computer device according to any of the preceding claims,
wherein said further memory unit (16) is arranged to be write
protected at least when the computer device is in operation.

11. A computer device according to any of the preceding claims,
arranged such that if said restart signal has been generated a
predetermined number of times, then, in case an error occurs again,
said stop signal is generated.

12. A computer device according to any of the preceding claims,
comprising a switching member (24) for manually generating said
restart signal.
13. A computer device arranged to secure the normal function of
the computer device under the execution of at least one application
program also when an error occurs that normally leads to
disconnection and shut-off of the computer device or at least to
disconnection concerning said application program, which computer
device comprises

processor means (10), an ordinary memory unit (12) connected to
said processor means (10) and arranged to comprise at least an
application program that is executed by the processor means (10),
a supervisory unit (14) that supervises the function of the computer
device and that is arranged to, in case an error occurs in the
execution of at least said application program, send a restart signal
or a stop signal to the processor means (10),
characterised by

a further memory unit (16) that is arranged to comprise at least
some basic application instructions, wherein the computer device is
arranged such that always when a restart takes place in response
to a restart signal generated by the supervisory unit (14), the
processor means (10) is connected to the further memory unit (16)
and reads and executes instructions that are stored in the same,
while the ordinary memory unit (12) is disconnected from the
processor means (10), wherein the computer device is arranged
such that the execution of the application that is controlled by said
application program may continue on the basis of the application
instructions that are retrieved from the further memory unit, wherein
the execution of the application in question may continue without
the necessity for the computer device to be disconnected.

14. A method for securing the normal function of a computer
device under the execution of at least one application program also
when an error occurs that normally leads to disconnection and
shut-off of the computer device or at least to disconnection concerning
said application program, which computer device comprises
processor means (10),
an ordinary memory unit (12) connected to said processor means
(10) and arranged to comprise at least one application program that 
is executed by the processor means (10), 
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a supervisory unit (14) that supervises the function of the computer 
device and that is arranged to, in case an error occurs in the 
execution of at least said application program, send a restart signal 
or a stop signal to the processor means (10), 
5 a further memory unit (16) that is arranged to comprise at least 
some basic application instructions, 

which method comprises that always when a restart takes place in 
response to a restart signal generated by the supervisory unit (14), 
the processor means (10) is connected to the further memory unit 

10 (16) and reads and executes instructions that are stored in the 
same, while the ordinary memory unit (12) is disconnected from the 
processor means (10), wherein the execution of the application that 
is controlled by said application program may continue on the basis 
of the application instructions that are retrieved from the further 

15 memory unit such that the execution of the application in question 
may continue without the necessity for the computer device to be 
disconnected. 

15. Use of a computer device according to any of the preceding 
20 claims for controlling a system that is included in an aircraft. 
Computer device with safety function

BACKGROUND OF THE INVENTION AND PRIOR ART

The present invention relates to a computer device with a safety function for avoiding unnecessary disconnection of the computer device, comprising processor means, an ordinary memory unit connected to said processor means and arranged to contain at least one program that is executed by the processor means, and a supervisory unit that supervises the function of the computer device and that is arranged to send a restart signal or a stop signal to the processor means if an error occurs.

Such computer devices are previously known. The supervisory unit may, for example, consist of a so-called "watchdog timer".

US-A-4 763 296 describes the function of such a watchdog timer. Such a device thus has a timer that runs continuously while the computer device is in use. If the timer reaches a predetermined value, i.e. if a predetermined time has elapsed, the watchdog timer generates a restart signal that causes a restart (reset) of the computer device. During normal use the timer is set to zero at regular intervals by the processor's normal program flow. If an error occurs, for example if the computer executes an endless subroutine, the timer is not reset and the watchdog timer consequently causes a restart of the system.

Other types of computer devices with safety functions are also previously known. Thus EP-A-481 508 describes a device that comprises a backup memory. When the power supply to the computer device is switched off, the status of the central processor and the contents of a main memory are transferred to said backup memory. When the computer device is subsequently started again by reconnecting the power supply, what is stored in the backup memory is restored.

EP-A-265 366 describes a computer device that comprises a primary memory and a backup memory. Switching from the primary memory to the backup memory is done by means of a "Backup Control System Transfer Mechanism". This mechanism is relatively complicated. When a power-on-reset signal is generated, said mechanism ensures that the restart takes place from the primary memory (see column 6, lines 21-28).

There is a need to improve the safety function of a computer device. Thus there is a need to restart the computer device in a safe manner when an error has been detected. One such error that can cause faults in the computer's operation is, for example, a memory error that may occur in the memory where the programs executed by the computer device are stored. Errors may also be caused by the software stored in the computer device's memory. For example, such errors can arise if new software is used that has not been fully tested. Furthermore, there is a need to ensure the function of the computer device with relatively simple means. A further problem is to ensure at least certain basic functions of the computer device when various errors occur.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a computer device with a reliable safety function that is moreover achieved with relatively simple means.

This object is achieved with the computer device stated in the introduction, which is characterised by a further memory unit that is arranged to contain at least certain basic system instructions, wherein the computer device is arranged such that the processor means, at a restart generated by said restart signal from the supervisory unit, is connected to the further memory unit and reads and executes instructions that are stored therein, while the ordinary memory unit is disconnected from the processor means.

By connecting the processor means to the further memory unit when a restart signal has been generated by the supervisory unit, it is avoided that any errors present in the instructions stored in the ordinary memory unit are transferred to the processor means. Thereby a safer function of the computer device is achieved after a restart signal has been generated in response to a detected error. In this context it should be noted that when the claims and the description state that a memory unit is connected to or disconnected from the processor means, this does not necessarily mean that the disconnection is made by physically breaking the connection between the processor means and the memory unit in question. The terms connect and disconnect thus cover two possibilities: physical disconnection by breaking the connection, and connection and disconnection at program level.

It should be noted that the term "system instructions" in this application preferably, but not necessarily, refers to programs that control a system or a part of a system that is controlled by the computer device, i.e. the term "system instructions" refers to application instructions.

According to one embodiment of the invention, the ordinary memory unit and the further memory unit constitute two different, physically separate memories. Thereby increased safety is achieved, since the ordinary memory unit exists as a separate memory that is completely disconnected from the processor means at restart.

According to an alternative embodiment of the invention, the ordinary memory unit and the further memory unit constitute two parts of physically the same memory, but with different memory addresses. With this construction fewer memory components are required, since the further memory unit is stored as a special part of the memory in which the ordinary memory unit is also included.

According to a further embodiment of the invention, said supervisory unit is arranged to generate a signal in dependence on a timer in such a manner that said restart signal is generated if no trigger signal that sets the timer to zero is received within a predetermined time interval. In this case the supervisory unit may thus consist of a so-called watchdog timer (WDT). Such a WDT is often included in computer devices. Thus, such a well-functioning, already existing WDT can be used as the supervisory unit in the device according to the present invention. It should however be pointed out that other types of supervisory units than a WDT may also be used in the computer device according to the invention.

According to yet another embodiment of the invention, the computer device comprises a memory safety circuit that is arranged to stop reading from the ordinary memory unit and to connect for reading from said further memory unit when both said restart signal and a signal indicating applied supply voltage are present. Such a memory safety circuit is a relatively simple and well-functioning circuit that ensures that the switch-over from the ordinary to the further memory unit takes place. Furthermore, this memory safety circuit ensures that such a switch-over only takes place if supply voltage to the computer device is present.

According to a further embodiment of the invention, said further memory unit is arranged such that it contains basic system instructions with a high level of functional reliability. The further memory unit may in this case be arranged to contain system instructions that have already been well tested and therefore have a high functional reliability. The further memory unit may in this case also be provided with the basic instructions for the computer device, while non-essential system instructions have been excluded from said further memory unit.

According to yet another embodiment of the invention, said further memory unit is arranged such that it contains system instructions with a level of functional reliability that is higher than the level of functional reliability of the instructions in the ordinary memory unit. Thus the ordinary memory unit may contain system instructions that are not so well tested in the computer device. The further memory unit may then contain the basic system instructions that have already proved to have a high functional reliability. Within the scope of the invention lies of course also the possibility that the ordinary memory unit and the further memory unit contain system instructions with the same level of functional reliability.

According to a further embodiment of the invention, at least said further memory unit is a non-volatile memory. This contributes to an increased functional reliability of the computer device.

According to yet another embodiment of the invention, said processor means comprises a working memory that is arranged such that at a restart of the computer device this working memory is reset before reading from said further memory unit is started. Thereby it is ensured that instructions that may contain errors and that originate from the ordinary memory unit do not remain in the working memory when reading from the further memory unit is started.

According to a further embodiment of the invention, said further memory unit is arranged to be write protected at least when the computer device is in operation. This contributes to further safety, since the contents of the further memory unit are protected and cannot be altered while the computer device is in operation.

According to yet another embodiment of the invention, the computer device is arranged such that if said restart signal has been generated a predetermined number of times, then, if an error occurs again, said stop signal is generated. This means that the supervisory unit generates a predetermined number of restart signals. If it turns out that an error is still present after the predetermined number of restart attempts have been made, the computer device is stopped.

According to yet another embodiment of the invention, the computer device comprises switching means for manually generating said restart signal. This means that in addition to the automatic generation of a restart signal by the supervisory unit, a manual restart signal can also be generated by an operator. An operator can thus order a restart from the further memory unit.

A further embodiment of the invention is set out in claim 13. This embodiment may also be combined with the features of one or more of claims 2-12.

The object of the invention is also achieved with a method according to claim 14. This method has advantages corresponding to those described in connection with the device. The method according to claim 14 may also be combined with features corresponding to those defined in one or more of claims 2-12.

A preferred use of the computer device is to use it for controlling a system that is included in various vehicles, for example in aircraft. An aircraft has many different functions that are controlled by a computer device. It is important that these functions work and that unnecessary disconnection of the computer device, or of its operation with respect to any application, is avoided. This purpose is achieved by a use according to claim 15.
BRIEF DESCRIPTION OF THE DRAWING

The present invention will now be explained with the aid of a described embodiment, which constitutes an example of the invention, and with reference to the accompanying drawing.

Fig 1 schematically shows a block diagram of an embodiment of the invention.

DETAILED DESCRIPTION OF AN EMBODIMENT OF THE INVENTION

Fig 1 shows a block diagram of an embodiment of the invention. The computer device comprises processor means 10. By these processor means 10 is meant not only the central processing unit (CPU) of the computer device but also other central parts of the computer device, such as for example the working memory 22. The computer device also comprises an ordinary memory unit 12. This ordinary memory unit 12 may for example consist of some form of PROM, for example UVPROM, EEPROM or the like. When the computer device is first started, the processor means 10 is connected to the ordinary memory unit 12. This ordinary memory unit 12 is thus arranged to contain the instructions that control the operation of the computer device. The computer device also comprises a supervisory unit 14. The supervisory unit 14 supervises the function of the computer device and is arranged to generate a restart signal or a stop signal to the processor means 10 if the supervisory unit 14 detects an error. The supervisory unit 14 may for example consist of a so-called watchdog timer (WDT). Such a WDT 14 generates a signal that depends on a timer 18. A restart signal is then generated if the WDT 14 does not receive, within a predetermined time interval, a trigger signal that sets the timer 18 to zero. For high safety, the WDT 14 suitably comprises its own timer 18. It is however possible for the timer function of the WDT 14 to be controlled by the same clock that is included in the processor means 10.
The computer device also comprises a further memory unit 16. This further memory unit 16 is arranged to contain at least certain basic system instructions. The further memory unit 16 may constitute a memory that is physically separate from the ordinary memory unit 12. It is also possible for the ordinary memory unit 12 and the further memory unit 16 to constitute two parts of physically the same memory. To further increase safety should a memory error occur, the ordinary memory unit 12 and the further memory unit 16 may consist of physically separate memories of different types, for example from different manufacturers. The further memory unit suitably consists of some form of PROM, for example UVPROM or EEPROM.

The computer device also comprises a memory safety circuit 20. This memory safety circuit 20 may be included as part of the processor means 10. In the embodiment shown, however, the memory safety circuit 20 is a separate circuit. The memory safety circuit 20 comprises an AND gate 21. The memory safety circuit 20 controls which of the ordinary memory unit 12 and the further memory unit 16 is to be connected to the processor means 10. This control may either consist of breaking or closing the electrical connection between the respective memory unit 12, 16 and the processor unit 10, or consist of control of these connections at program level. It is also possible for the control to consist of a combination of software instructions and physical breaking or closing. One input of the AND gate is connected to a line 23 that indicates that supply voltage is present. The other input of the AND gate 21 is connected to a line 25 that is connected to the WDT 14. Via this line 25, a restart signal generated by the WDT 14 is led to the AND gate 21 and thereby to the memory safety circuit 20.

The computer device also comprises a switching member 24 for manually generating a restart signal. This switching member 24 may suitably be connected to the input of the AND gate that is also connected to the WDT 14.

The WDT 14 thus supervises the function of the computer device. When the computer device is functioning normally, the WDT 14 receives a trigger signal from the processor means 10 at regular intervals. This trigger signal sets the timer 18 to zero. In that case the WDT 14 generates no restart signal on line 25. If however an error occurs such that the WDT 14 does not receive any trigger signal from the processor means 10 within a predetermined time interval, the WDT 14 generates a restart signal. This restart signal is thus led to one input of the AND gate 21. When the AND gate 21 receives such a restart signal, and if at the same time the other input of the AND gate 21 detects that supply voltage is present, the memory safety circuit 20 ensures that the ordinary memory unit 12 is disconnected from the processor means 10 and that the further memory unit 16 is connected to the processor means 10. The processor means 10 also receives a signal, suitably from the WDT 14, that a restart is to be carried out. The working memory 22 of the processor means 10 is then reset, after which reading from the further memory unit 16 takes place. Reading is then made to predetermined addresses in the working memory 22. The processor means 10 thus reads and executes the instructions stored in the further memory unit 16.

It is conceivable that a restart attempt fails and that the WDT 14 therefore generates a new restart signal. If an error is detected again, further restart signals may be generated by the WDT 14. The computer device is then suitably arranged such that when a predetermined number of restart attempts have been made, the restart attempts are stopped. A warning function may then be generated by the computer device, and the latest information concerning the status of the processor means 10 and the memory units 12, 16 may be recorded for later analysis. The computer device is suitably arranged such that the restart attempts are stopped after, for example, one to four restart attempts, preferably after two restart attempts. The computer device may in this case be arranged such that the restart attempts are stopped if said predetermined number of restart attempts have been carried out within a predetermined time interval.
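The mechanism described above (watchdog timer 18 expiring without a trigger signal, AND gate 21 combining the restart signal with the supply-voltage line, working memory 22 cleared before reading from the further memory unit 16, and restart attempts counted within a time window before a stop signal is issued) is modelled below as an added software example in C. It is not code from the patent; the numeric constants WDT_TIMEOUT_TICKS, MAX_RESTARTS and RESTART_WINDOW, the mem_select_t enumeration and every function name are assumptions made for the example, and the scenario where the processor never sends a trigger signal is constructed.

```c
/* Added example, not from the patent: a software model of the safety function
 * in Fig 1. Numerals in comments follow the description; the tick counts, the
 * restart window and all function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WDT_TIMEOUT_TICKS 100u  /* predetermined interval of timer 18 (assumed) */
#define MAX_RESTARTS      2     /* the text prefers stopping after two attempts */
#define RESTART_WINDOW    1000u /* attempts are counted inside this window (assumed) */

typedef enum { MEM_ORDINARY = 12, MEM_FURTHER = 16 } mem_select_t;

typedef struct {
    uint32_t     now;             /* elapsed ticks */
    uint32_t     timer;           /* timer 18, set to zero by the trigger signal */
    bool         power_good;      /* line 23: supply voltage present */
    bool         restart_signal;  /* line 25: pulse from WDT 14 */
    bool         stop_signal;     /* set once restart attempts are exhausted */
    mem_select_t mem_select;      /* memory unit the processor reads from */
    uint32_t     work_mem[16];    /* working memory 22 */
    int          restart_count;   /* restarts inside the current window */
    uint32_t     window_start;
} device_t;

void device_init(device_t *d)
{
    memset(d, 0, sizeof *d);
    d->power_good = true;
    d->mem_select = MEM_ORDINARY;                  /* first start: unit 12 */
    memset(d->work_mem, 0xAB, sizeof d->work_mem); /* stale content */
}

/* Trigger signal from processor means 10: sets timer 18 to zero (claim 4). */
void wdt_kick(device_t *d) { d->timer = 0; }

/* Memory safety circuit 20: AND gate 21 of restart signal and supply voltage. */
static bool memory_safety_circuit(const device_t *d)
{
    return d->restart_signal && d->power_good;
}

/* Restart: clear working memory 22 first (claim 9), then read from unit 16. */
static void switch_to_further_memory(device_t *d)
{
    memset(d->work_mem, 0, sizeof d->work_mem);
    d->mem_select = MEM_FURTHER;
}

/* One tick of supervisory unit 14. Returns true if a restart was carried out. */
bool wdt_tick(device_t *d)
{
    d->now++;
    d->restart_signal = false;
    if (d->stop_signal || ++d->timer < WDT_TIMEOUT_TICKS)
        return false;              /* stopped, or the trigger arrived in time */
    d->timer = 0;
    /* Claim 11: a limited number of restarts, counted within a time window. */
    if (d->restart_count == 0 || d->now - d->window_start > RESTART_WINDOW) {
        d->restart_count = 0;
        d->window_start = d->now;
    }
    if (d->restart_count >= MAX_RESTARTS) {
        d->stop_signal = true;     /* error persists: stop signal instead */
        return false;
    }
    d->restart_count++;
    d->restart_signal = true;
    if (!memory_safety_circuit(d))
        return false;              /* no supply voltage: no switch-over */
    switch_to_further_memory(d);
    return true;
}

/* Run with no trigger signal; returns the tick of the restart, or -1. */
int run_without_trigger(device_t *d, int max_ticks)
{
    for (int i = 1; i <= max_ticks; i++)
        if (wdt_tick(d))
            return i;
    return -1;
}

/* Processor silent until the WDT gives up: how many restarts came first? */
int restarts_before_stop(bool power_good)
{
    device_t d;
    device_init(&d);
    d.power_good = power_good;
    int restarts = 0;
    while (!d.stop_signal)
        restarts += run_without_trigger(&d, 1000) > 0;
    return restarts;
}

int main(void)
{
    printf("%d restarts before stop with supply voltage, %d without\n",
           restarts_before_stop(true), restarts_before_stop(false));
}
```

The model keeps the two safety properties the description relies on: the switch to the further memory unit happens only when the AND gate sees both the restart signal and the supply-voltage line, and the working memory is zeroed before anything is read from that unit, so nothing left over from the faulty program in the ordinary memory unit survives the restart. The third expiry inside the window produces the stop signal rather than a fourth restart, matching the "preferably two attempts" rule.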

For increased safety, the further memory unit 16 is suitably arranged such that it is write protected when the computer device is in operation. Furthermore, both the ordinary memory unit 12 and the further memory unit 16 suitably consist of non-volatile memories.

The further memory unit 16 is suitably arranged such that it contains basic system instructions at a high level of functional reliability. The further memory unit 16 may then contain primary and well-tested system functions. The further memory unit 16 is suitably arranged such that it contains system instructions with a higher level of functional reliability than the system instructions present in the ordinary memory unit 12. The expression "level of functional reliability" may here refer, for example, to the software safety levels defined in RTCA standard document No. RTCA/DO-178B.

The computer device according to the invention may preferably be arranged to secure the normal function of the computer device during execution of an application program even when an error occurs that would otherwise lead to disconnection and shut-off of the computer device, or at least to the execution of the application program in question being interrupted. The ordinary memory unit 12 thus contains an application program that is executed by the processor means 10. If an error occurs in the execution of at least said application program, the processor means 10 is connected to the further memory unit 16, which is arranged to contain at least certain basic, previously used and safe application instructions. The computer device is thus arranged such that the execution of the application controlled by the application program can continue on the basis of the application instructions retrieved from the further memory unit.

According to a method according to the invention, if an error occurs, connection is made to the further memory unit 16, which contains at least certain basic application instructions. Thereby the execution of the application controlled by an application program can continue on the basis of the application instructions that are retrieved from the further memory unit and that are read into the processor means 10 in a normal and conventional manner, with normal resetting of the working memory 22.

The computer device according to the invention may advantageously be used for controlling a system that is included in an aircraft.

The present invention is not limited to the embodiment shown but may be varied and modified within the scope of the following claims.
Patent claims

1. A computer device with a safety function for avoiding unnecessary disconnection of the computer device, comprising
processor means (10),
an ordinary memory unit (12) connected to said processor means (10) and arranged to contain at least one program that is executed by the processor means (10),
a supervisory unit (14) that supervises the function of the computer device and that is arranged to, if an error occurs, send a restart signal or a stop signal to the processor means (10),
characterised by
a further memory unit (16) that is arranged to contain at least certain basic system instructions, wherein the computer device is arranged such that the processor means (10), at a restart generated by said restart signal from the supervisory unit (14), is connected to the further memory unit (16) and reads and executes instructions that are stored therein, while the ordinary memory unit (12) is disconnected from the processor means (10).

2. A computer device according to claim 1, wherein the ordinary memory unit (12) and the further memory unit (16) constitute two different, physically separate memories.

3. A computer device according to claim 1, wherein the ordinary memory unit (12) and the further memory unit (16) constitute two parts of physically the same memory, but with different memory addresses.

4. A computer device according to any of the preceding claims, wherein said supervisory unit (14) is arranged to generate a signal in dependence on a timer (18) in such a manner that said restart signal is generated if no trigger signal that sets the timer (18) to zero is received within a predetermined time interval.

5. A computer device according to any of the preceding claims, comprising a memory safety circuit (20) that is arranged to stop reading from the ordinary memory unit (12) and to connect for reading from said further memory unit (16) when both said restart signal and a signal indicating applied supply voltage are present.

6. A computer device according to any of the preceding claims, wherein said further memory unit (16) is arranged such that it contains basic system instructions with a high level of functional reliability.

7. A computer device according to claim 6, wherein said further memory unit (16) is arranged such that it contains system instructions with a level of functional reliability that is higher than the level of functional reliability of the instructions in the ordinary memory unit (12).

8. A computer device according to any of the preceding claims, wherein at least said further memory unit (16) is a non-volatile memory.

9. A computer device according to any of the preceding claims, wherein said processor means (10) comprises a working memory (22) that is arranged such that at a restart of the computer device this working memory (22) is reset before reading from said further memory unit (16) is started.

10. A computer device according to any of the preceding claims, wherein said further memory unit (16) is arranged to be write protected at least when the computer device is in operation.

11. A computer device according to any of the preceding claims, arranged such that if said restart signal has been generated a predetermined number of times, then, if an error occurs again, said stop signal is generated.

12. A computer device according to any of the preceding claims, comprising switching means (24) for manually generating said restart signal.

13. A computer device arranged to secure the normal function of the computer device during execution of at least one application program even when an error occurs that normally leads to disconnection and shut-off of the computer device, or at least to disconnection with respect to said application program, which computer device comprises
processor means (10),
an ordinary memory unit (12) connected to said processor means (10) and arranged to contain at least one application program that is executed by the processor means (10),
a supervisory unit (14) that supervises the function of the computer device and that is arranged to, if an error occurs in the execution of at least said application program, send a restart signal or a stop signal to the processor means (10),
characterised by
a further memory unit (16) that is arranged to contain at least certain basic application instructions, wherein the computer device is arranged such that always when a restart takes place in response to a restart signal generated by the supervisory unit (14), the processor means (10) is connected to the further memory unit (16) and reads and executes instructions that are stored therein, while the ordinary memory unit (12) is disconnected from the processor means (10), wherein the computer device is arranged such that the execution of the application controlled by said application program can continue on the basis of the application instructions retrieved from the further memory unit, whereby the execution of the application in question can continue without the computer device having to be disconnected.

14. A method for securing the normal function of a computer device during execution of at least one application program even when an error occurs that normally leads to disconnection and shut-off of the computer device, or at least to disconnection with respect to said application program, which computer device comprises
processor means (10),
an ordinary memory unit (12) connected to said processor means (10) and arranged to contain at least one application program that is executed by the processor means (10),
a supervisory unit (14) that supervises the function of the computer device and that is arranged to, if an error occurs in the execution of at least said application program, send a restart signal or a stop signal to the processor means (10),
a further memory unit (16) that is arranged to contain at least certain basic application instructions,
which method comprises that always when a restart takes place in response to a restart signal generated by the supervisory unit (14), the processor means (10) is connected to the further memory unit (16) and reads and executes instructions that are stored therein, while the ordinary memory unit (12) is disconnected from the processor means (10), whereby the execution of the application controlled by said application program can continue on the basis of the application instructions retrieved from the further memory unit, such that the execution of the application in question can continue without the computer device having to be disconnected.

15. Use of a computer device according to any of the preceding claims for controlling a system that is included in an aircraft.

PCT/SE00/01847
22.09.2000

Abstract

The invention relates to a computer device with a safety function for avoiding unnecessary disconnection of the computer device. The computer device comprises processor means (10), an ordinary memory unit (12), a supervisory unit (14) and a further memory unit (16). The computer device is arranged such that the processor means (10), at a restart generated by a restart signal, is connected to the further memory unit (16) and reads and executes the instructions stored therein, while the ordinary memory unit (12) is disconnected from the processor means (10).

(Fig 1)
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Claims 

1. A computer device with a safety function for avoiding unnecessary disconnection of the computer device, comprising

processor means (10),

an ordinary memory unit (12) connected to said processor means (10) and arranged to comprise at least one program that is executed by the processor means (10),

a supervisory unit (14) that supervises the function of the computer device and that is arranged to, in case an error occurs, send a restart signal or a stop signal to the processor means (10),
characterised by

a further memory unit (16) that is arranged to comprise at least some basic system instructions, wherein the computer device is arranged such that the processor means (10), at a restart generated by said restart signal from the supervisory unit (14), is connected to the further memory unit (16) and reads and executes instructions that are stored in the same, while the ordinary memory unit (12) is disconnected from the processor means (10).

2. A computer device according to claim 1, wherein the ordinary memory unit (12) and the further memory unit (16) constitute two different, physically separate, memories.

3. A computer device according to claim 1, wherein the ordinary memory unit (12) and the further memory unit (16) constitute two parts of physically the same memory, but with different memory addresses.

4. A computer device according to any of the preceding claims, wherein said supervisory unit (14) is arranged to generate a signal in dependence of a timer (18) in such a manner that said restart signal is generated if no trigger signal that sets the timer (18) to zero is received within a predetermined time interval.


5. A computer device according to any of the preceding claims, comprising a memory safety circuit (20) that is arranged to stop the reading from the ordinary memory unit (12) and to connect for reading from said further memory unit (16) when both said restart signal and a signal indicating applied supply voltage is the case.

6. A computer device according to any of the preceding claims, wherein said further memory unit (16) is arranged such that it comprises basic system instructions with a high degree of reliability.

7. A computer device according to claim 6, wherein said further memory unit (16) is arranged such that it comprises system instructions with a degree of reliability that is higher than the degree of reliability that is the case in the ordinary memory unit (12).

8. A computer device according to any of the preceding claims, wherein at least said further memory unit (16) is a non-volatile memory.

9. A computer device according to any of the preceding claims, wherein said processor means (10) comprises a working memory (22) that is arranged such that at a restart of the computer device this working memory (22) is reset before reading from said further memory unit (16) is started.

10. A computer device according to any of the preceding claims, wherein said further memory unit (16) is arranged to be write protected at least when the computer device is in operation.

11. A computer device according to any of the preceding claims, arranged such that if said restart signal has been generated a predetermined number of times, then, in case an error occurs again, said stop signal is generated.

12. A computer device according to any of the preceding claims, comprising a switching member (24) for manually generating said restart signal.
13. A computer device arranged to secure the normal function of the computer device under the execution of at least one application program also when an error occurs that normally leads to disconnection and shut-off of the computer device or at least to disconnection concerning said application program, which computer device comprises

processor means (10), an ordinary memory unit (12) connected to said processor means (10) and arranged to comprise at least an application program that is executed by the processor means (10), a supervisory unit (14) that supervises the function of the computer device and that is arranged to, in case an error occurs in the execution of at least said application program, send a restart signal or a stop signal to the processor means (10),
characterised by

a further memory unit (16) that is arranged to comprise at least some basic application instructions, wherein the computer device is arranged such that always when a restart takes place in response to a restart signal generated by the supervisory unit (14), the processor means (10) is connected to the further memory unit (16) and reads and executes instructions that are stored in the same, while the ordinary memory unit (12) is disconnected from the processor means (10), wherein the computer device is arranged such that the execution of the application that is controlled by said application program may continue on the basis of the application instructions that are retrieved from the further memory unit, wherein the execution of the application in question may continue without the necessity for the computer device to be disconnected.

14. A method for securing the normal function of a computer device under the execution of at least one application program also when an error occurs that normally leads to disconnection and shut-off of the computer device or at least to disconnection concerning said application program, which computer device comprises
processor means (10),
an ordinary memory unit (12) connected to said processor means (10) and arranged to comprise at least one application program that is executed by the processor means (10),
a supervisory unit (14) that supervises the function of the computer device and that is arranged to, in case an error occurs in the execution of at least said application program, send a restart signal or a stop signal to the processor means (10),
a further memory unit (16) that is arranged to comprise at least some basic application instructions,

which method comprises that always when a restart takes place in response to a restart signal generated by the supervisory unit (14), the processor means (10) is connected to the further memory unit (16) and reads and executes instructions that are stored in the same, while the ordinary memory unit (12) is disconnected from the processor means (10), wherein the execution of the application that is controlled by said application program may continue on the basis of the application instructions that are retrieved from the further memory unit such that the execution of the application in question may continue without the necessity for the computer device to be disconnected.

15. Use of a computer device according to any of the preceding claims for controlling a system that is included in an aircraft.
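The mechanism the claims describe, a watchdog timer whose expiry forces the processor onto a write-protected fallback memory and a restart budget after which the device stops rather than loops, is easier to reason about as a state machine. The following C model is an added example and is not code from the application or the applicant; it models the supervisory unit (14), the timer (18), the memory safety circuit (20), the working memory (22) and the restart count of claims 4, 5, 9, 11 and 12. All identifiers, the tick unit, the working-memory size and the choice that a manual restart counts towards the restart limit are assumptions made here, not statements of the application.

```c
/* Added example (not from the application): a software model of the
 * supervisory unit (14), the timer (18), the memory safety circuit (20), the
 * working memory (22) and the restart counter of claims 4, 5, 9, 11 and 12.
 * Names, tick units and the limit values are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORKING_MEMORY_BYTES 16        /* size of working memory (22): assumed */

enum memory_source { MEM_ORDINARY, MEM_FURTHER };
enum supervisor_action { ACT_NONE, ACT_RESTART, ACT_STOP };

struct computer_device {
    uint32_t timeout_ticks;            /* predetermined time interval of claim 4 */
    uint32_t elapsed_ticks;            /* timer (18); a trigger signal sets it to zero */
    uint32_t restart_limit;            /* predetermined number of restarts of claim 11 */
    uint32_t restart_count;
    bool supply_voltage_ok;            /* second condition of the memory safety circuit */
    bool stopped;                      /* set once the stop signal has been sent */
    enum memory_source active_memory;  /* memory the processor means (10) reads from */
    uint8_t working_memory[WORKING_MEMORY_BYTES];
};

void device_init(struct computer_device *d, uint32_t timeout_ticks, uint32_t restart_limit)
{
    memset(d, 0, sizeof *d);
    d->timeout_ticks = timeout_ticks;
    d->restart_limit = restart_limit;
    d->supply_voltage_ok = true;
    d->active_memory = MEM_ORDINARY;   /* normal operation runs from the ordinary memory unit (12) */
}

/* Trigger signal from the running program: sets the timer (18) to zero (claim 4). */
void device_trigger(struct computer_device *d)
{
    d->elapsed_ticks = 0;
}

/* Memory safety circuit (20), claim 5: only when the restart signal AND applied
 * supply voltage coincide does it stop reading from (12) and connect (16).
 * The working memory (22) is reset before reading from (16) starts (claim 9). */
static void memory_safety_circuit(struct computer_device *d)
{
    if (!d->supply_voltage_ok)
        return;
    d->active_memory = MEM_FURTHER;
    memset(d->working_memory, 0, sizeof d->working_memory);
}

/* An error has been detected. Claim 11: once the restart signal has been
 * generated the predetermined number of times, the next error yields the stop
 * signal instead of another restart. */
static enum supervisor_action on_error(struct computer_device *d)
{
    if (d->restart_count >= d->restart_limit) {
        d->stopped = true;
        return ACT_STOP;
    }
    d->restart_count++;
    d->elapsed_ticks = 0;
    memory_safety_circuit(d);
    return ACT_RESTART;
}

/* One tick of the timer (18). Returns the signal the supervisory unit emits. */
enum supervisor_action device_tick(struct computer_device *d)
{
    if (d->stopped)
        return ACT_STOP;
    if (++d->elapsed_ticks < d->timeout_ticks)
        return ACT_NONE;
    return on_error(d);                /* no trigger within the interval: error */
}

/* Switching member (24) of claim 12: a manually generated restart signal.
 * That it counts towards the limit of claim 11 is an assumption made here. */
enum supervisor_action device_manual_restart(struct computer_device *d)
{
    return d->stopped ? ACT_STOP : on_error(d);
}

int main(void)
{
    struct computer_device d;
    device_init(&d, 3, 2);             /* 3-tick interval, 2 restarts before stop */
    for (int t = 0; t < 12; t++) {
        if (t == 1)
            device_trigger(&d);        /* the program kicks the watchdog once */
        enum supervisor_action a = device_tick(&d);
        printf("tick %2d: action=%d memory=%s restarts=%u\n", t, a,
               d.active_memory == MEM_FURTHER ? "further" : "ordinary",
               d.restart_count);
    }
    return 0;
}
```

The security-relevant property of the design is that the fallback path never depends on the possibly corrupted ordinary memory: the memory safety circuit switches on the restart signal itself, and the further memory is write protected while the device runs (claim 10), so a fault in the application cannot alter the code it will recover into. The restart budget keeps a persistent fault from turning into an endless reboot loop.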